CVE-2014-0112

ParametersInterceptor in Apache Struts before 2.3.16.2 does not properlyrestrict access to the getClass method, which allows remote attackers to"manipulate" the ClassLoader and execute arbitrary code via a craftedrequest. NOTE: this vulnerability exists because of an incomplete fix forCVE-2014-0094.